IMPORTANT UPDATE TO VIDEO
The video states that you can download a new, rekeyed certificate from GoDaddy as soon as a new line appears in the history. This is not true: you must wait some number of hours before the rekeyed certificate becomes available for download. This applies only to rekeys, not to new keys.
So the full steps for the process are thus:
CREATE A NEW DIRECTORY IN WHICH TO PREPARE THE KEYSTORE! cd to the new directory.
CREATE THE KEYSTORE
keytool -genkeypair -keystore bourne.keystore -keypass bourne -storepass bourne -keyalg RSA -keysize 2048 -alias tomcat -deststoretype pkcs12
For FirstName/LastName (this becomes the certificate's CN): www.example.com
Then anything for department
Organization: put the full company name in, for human reading consumption
City: SOUTH EASTON
State: MASSACHUSETTS
Accept the defaults for the rest (US)
GENERATE THE CSR (THE REQUEST FOR A NEW KEY FOR GODADDY)
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore bourne.keystore
This will create a csr.csr file in the same folder. Type it out (e.g. cat csr.csr), then copy everything into the clipboard.
Go to the GoDaddy site. FROM THE GODADDY HOMEPAGE, under the user name find “My Products”. Then under SSL CERTIFICATES, use the “Manage” button.
Generate or rekey the certificate. Paste the CSR into the csr input field. Select your domain options, generate the certificate.
To confirm that the certificate is ready, go back to the QUICK LINK for Manage SSL Certificates again and choose HISTORY on the SSL management page. You should see the new certificate on the top of the history list. If yes, go back to the Manage SSL Certificates page and Download the ZIP file. You will have to choose the Web Application Server (currently TOMCAT).
Get the GoDaddy root cert gdroot-g2.crt from their repository (this is not in the ZIP file you downloaded; that ZIP only holds items related to your specific certificate). I also get the intermediate cert from the repository, too. That’s gdig2.crt.
I upload the ZIP to my server before I unzip. Also upload the GoDaddy root cert gdroot-g2.crt and intermediate cert gdig2.crt. SSH to the server and move the ZIP and the two GoDaddy certs to the folder holding the keystore. Unzip the ZIP file. You’ll get 3 .crt files from it:
gd_bundle-g2-g1.crt – A bundle of other certificates used to overcome a Java problem with SHA1 and SHA2 (I don’t use it).
gdig2.crt.pem – Intermediate cert but in PEM format (I don’t use this either)
14randomchar.crt – Your own server certificate, issued for your CSR (the private key itself never leaves the keystore)
INSTALL THE CERTS
Make sure you use these aliases (especially the tomcat alias on your own certificate, the last one: it must match the alias of the key pair created earlier, so that keytool attaches the certificate to that private key instead of adding it as a separate trusted entry)
FIRST, THE GODADDY ROOT
keytool -import -alias root -keystore bourne.keystore -trustcacerts -file gdroot-g2.crt
NEXT, THE INTERMEDIATE
keytool -import -alias intermed -keystore bourne.keystore -trustcacerts -file gdig2.crt
FINALLY, YOUR OWN CERTIFICATE (change the filename to the one from the ZIP)
keytool -import -alias tomcat -keystore bourne.keystore -file 529e3d67f9bee86f.crt
Your keystore should be ready. I like to list its contents:
keytool -list -v -keystore bourne.keystore
Or non-verbose:
keytool -list -keystore bourne.keystore
For non-verbose, I see this:
—————————————————————————–
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Mar 23, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
tomcat, Mar 23, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1C:B4:8A:61:AE:A8:F7:15:AC:9F:7D:EC:30:3A:F5:A9:E6:E3:C2:6D
intermed, Mar 23, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
—————————————————————————–
Change the ownership on the keystore:
sudo chown tomcat:tomcat bourne.keystore
Change the permissions on the keystore:
sudo chmod 644 bourne.keystore
(644 leaves the keystore world-readable; since it holds the private key, 640 is the tighter choice and still lets the tomcat owner read it.)
Check it:
ls -al bourne.keystore
-rw-r--r-- 1 tomcat tomcat 7215 Mar 23 18:21 bourne.keystore
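As an added example that is not part of the video or its author's steps, the script below replays the whole INSTALL THE CERTS and ownership/permissions section end to end. Because it needs no GoDaddy account, it first has keytool create a throwaway root and intermediate CA and signs the CSR with that instead; the aliases root/intermed/tomcat and the password bourne are the ones from the text, while the CA names, the scratch directory and the two check functions are my own assumptions. It also shows the check that matters after the last import: the tomcat alias must be a PrivateKeyEntry with a three-certificate chain, and the keystore file, which holds the private key, should give "other" no access.

```shell
#!/bin/sh
# Added example, not the video author's script. It reproduces the keystore
# build above end to end, but against a throwaway root + intermediate CA that
# keytool itself creates, so it runs offline with no GoDaddy account. Only the
# aliases (root, intermed, tomcat) and the password "bourne" come from the text;
# the CA names, the scratch directory and the check functions are assumptions.
set -eu

PASS=bourne
DNAME="CN=www.example.com, OU=IT, O=Example Inc, L=SOUTH EASTON, ST=MASSACHUSETTS, C=US"

# Build a two-level test CA in its own keystore and leave root.crt / intermed.crt
# in the current directory, playing the part of gdroot-g2.crt / gdig2.crt.
make_test_ca() {
    ca=$1
    keytool -genkeypair -keystore "$ca" -storepass "$PASS" -keypass "$PASS" \
        -alias root -dname "CN=Test Root CA, O=Example Inc, C=US" \
        -keyalg RSA -keysize 2048 -validity 3650 -ext bc:c
    keytool -genkeypair -keystore "$ca" -storepass "$PASS" -keypass "$PASS" \
        -alias intermed -dname "CN=Test Intermediate CA, O=Example Inc, C=US" \
        -keyalg RSA -keysize 2048 -validity 1825 -ext bc:c
    # The root signs the intermediate's CSR; importing the reply under the same
    # alias replaces the intermediate's self-signed cert with the signed one.
    keytool -certreq -keystore "$ca" -storepass "$PASS" -alias intermed -file intermed.csr
    keytool -gencert -keystore "$ca" -storepass "$PASS" -alias root \
        -infile intermed.csr -outfile intermed.crt -ext bc=0 -validity 1825 -rfc
    keytool -importcert -keystore "$ca" -storepass "$PASS" -alias intermed \
        -file intermed.crt -noprompt
    keytool -exportcert -keystore "$ca" -storepass "$PASS" -alias root -rfc -file root.crt
}

# Returns 0 only if alias "tomcat" is a PrivateKeyEntry carrying a three-cert
# chain (own cert + intermediate + root). Had the final import used any other
# alias, keytool would have stored a separate trustedCertEntry and the key pair
# would still carry nothing but its self-signed certificate.
verify_server_chain() {
    ks=$1
    out=$(keytool -list -v -keystore "$ks" -storepass "$PASS" -alias tomcat 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q 'Entry type: PrivateKeyEntry' || return 1
    printf '%s\n' "$out" | grep -q 'Certificate chain length: 3'
}

# Returns 0 if the keystore belongs to the expected user and grants "other" no
# access at all (640 or 600). The text uses 644, which leaves the private key
# readable by every local account; owner tomcat can still read a 640 file.
check_keystore_perms() {
    f=$1
    owner=$2
    set -- $(ls -l "$f")     # e.g. -rw-r----- 1 tomcat tomcat 7215 Mar 23 18:21 f
    mode=$1
    user=$3
    [ "$user" = "$owner" ] || return 1
    [ "$(printf '%s' "$mode" | cut -c8-10)" = "---" ]
}

# The video's steps, replayed against the test CA in a scratch directory.
run_demo() (
    work=$(mktemp -d)
    trap 'cd /; rm -rf "$work"' EXIT
    cd "$work"
    make_test_ca ca.keystore
    # CREATE THE KEYSTORE and GENERATE THE CSR (the private key never leaves bourne.keystore)
    keytool -genkeypair -keystore bourne.keystore -storepass "$PASS" -keypass "$PASS" \
        -alias tomcat -dname "$DNAME" -keyalg RSA -keysize 2048 -validity 365
    keytool -certreq -keystore bourne.keystore -storepass "$PASS" -alias tomcat -file csr.csr
    # The CA issues a certificate for the CSR (GoDaddy's part in the real flow)
    keytool -gencert -keystore ca.keystore -storepass "$PASS" -alias intermed \
        -infile csr.csr -outfile server.crt -validity 365 -rfc \
        -ext san=dns:www.example.com -ext ku:c=digitalSignature,keyEncipherment
    # INSTALL THE CERTS: root, intermediate, then the own cert under the key-pair alias
    keytool -importcert -keystore bourne.keystore -storepass "$PASS" -alias root \
        -trustcacerts -file root.crt -noprompt
    keytool -importcert -keystore bourne.keystore -storepass "$PASS" -alias intermed \
        -trustcacerts -file intermed.crt -noprompt
    keytool -importcert -keystore bourne.keystore -storepass "$PASS" -alias tomcat \
        -file server.crt -noprompt
    chmod 640 bourne.keystore
    rc=0
    verify_server_chain bourne.keystore || rc=1
    check_keystore_perms bourne.keystore "$(id -un)" || rc=1
    exit $rc
)

if command -v keytool >/dev/null 2>&1; then
    if run_demo; then echo "keystore built, chain of 3 verified, permissions OK"; else echo "demo failed" >&2; fi
else
    echo "keytool not found: install a JDK to run the demo" >&2
fi
```

On the real server the only differences are that GoDaddy signs csr.csr instead of the local test CA, the three files imported are gdroot-g2.crt, gdig2.crt and the 14-character .crt from the ZIP, and the owner passed to check_keystore_perms is tomcat.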
Configure tomcat’s server.xml file (Located on my server in /usr/share/tomcat8/conf/server.xml)
The video comment showed parentheses because YouTube does not permit angle brackets in comments; the real element uses XML angle brackets for open/close:
<Connector port="8443" maxThreads="150"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/etc/tomcat8/bourne.keystore" keystorePass="bourne"
    clientAuth="false" sslProtocol="TLS">
</Connector>
You may need to forward port 443 to 8443 (if you update software using "yum update", it can reset iptables).
Copy the keystore to where you reference it in server.xml
sudo cp bourne.keystore /etc/tomcat8
sudo ls -al /etc/tomcat8/bourne.keystore
-rw-r--r-- 1 tomcat tomcat 7215 Mar 23 18:21 bourne.keystore
Restart tomcat
sudo service tomcat8 restart
Test:
/end
thanks, your information is very good.
Hi, I forgot to generate the keystore at the start. I generated the .csr without adding a keystore and then generated the SSL cert on GoDaddy with that .csr, so do we need to create the certificate again, or how do we use the keystore with the .csr after getting the certificate?
completely useless video. doesn't work for newer versions of tomcat.
Thanks for the video and information.
Hey Joe, thanks for this information. I was struggling to set up SSL on my Amazon EC2; I just followed your video step by step and everything is working well. Thanks a lot !!! God bless you. Regards from Mexico
This is great information Joe, Thank you so much for the video.
This video was very useful to implement my ssl on jboss. Thanks for the video mate.
Hi Boston Joe.
I have an Apache server on Amazon EC2. My Godaddy SSL cert expired in June. I renewed it, but I just can't seem to get it installed. Can you help me? It seems that you also have Tomcat knowledge. I also have a Tomcat server at EC2 which is running but is not accessible on the internet. Perhaps you could help me with that server also. Please reply. Thanks
Hi, can you help me with how to do this on an httpd server?
My private key was changed when I was installing SSL for nginx. How can I import this private key into my bourne.keystore file and remove the old crt (private file)?
Does it apply to GoDaddy Wildcard SSL too? I'm using Tomcat on my own hosting.
I am trying to use it JAN 2019. Thanks for this video
Hello Boston,
What password are we supposed to give after this command 'keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore bourne.keystore'?
Thanks for your video 🙂